Curing the BIND pain

Andy Dills andy at xecu.net
Thu Mar 27 20:12:50 UTC 2003


On Thu, 27 Mar 2003 Michael.Dillon at radianz.com wrote:

> I suggest that an appropriate technique would be for the BIND server to
> originate traffic on its local subnet that would look suspicious and
> possibly trigger intrusion alarms. Send out some packets to the broadcast
> address. Do some portscanning of all addresses on the subnet. Find any
> open port 80 and retrieve a URL containing
> BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25
> and send email to postmaster containing the same message, etc.

Better yet, why not just have it print to console "BIND INSECURE, UPGRADE,
SHUTTING DOWN THE SERVER NOW" and then halt? Far more likely to get
noticed.

> Not enough traffic to be a DoS but enough to show up in various logs in
> case someone is looking at some of them.

If you have somebody looking at firewall or IDS logs, you won't need to be
told to upgrade bind. Besides, plenty of networks who do stay current on
application security would miss a little pretend DOS.

The best solutions I can come up with all revert to the undesired "stop
working" solution, in effect.

My favorite notion, which I didn't even suggest because of Paul's mandate
that the solution not involve breaking bind, would be to return, in
response to every query, the IP address of a special website that says
"THE VERSION OF BIND ON YOUR NAMESERVERS IS VULNERABLE" or whatever, and
include instructions on how to upgrade.

Sure, it will break everything except http, and flood this webserver with
a ridiculous amount of unwanted traffic (bgp anycast with filtering
everything not destined for port 80, to help stem that a little?), but at
least people will know why nothing is working, once they fire up a
browser.

Looming large, of course, is the fact that people would have to upgrade to
get any of this "security upgrade" functionality. So we'd really be only
partially solving a problem in which we won't see any benefit for years to
come, which is usually enough impetus to kill a project these days.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, Inc.                           www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access




More information about the NANOG mailing list